Woburn, MA – July 29, 2021 – Today Kaspersky announced its discovery of a unique, long-running operation, called GhostEmperor. The campaign used Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and bore no similarity to any known threat actor. The findings are part of Kaspersky’s APT Trends Q2 2021 report.
GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.
“As detection and protection techniques evolve, so do APT actors,” said David Emm, security expert at Kaspersky. “They typically refresh and update their toolsets. GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.”
In addition to the growth of attacks against Microsoft Exchange servers, Kaspersky experts also highlighted the following trends in the APT landscape in Q2:
To learn more about GhostEmperor and other significant discoveries of the quarter, read the APT trends report Q2 2021 on Securelist. The report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting. For more information, please contact: firstname.lastname@example.org
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn